Protecting Customer Data: Is Your DSAR Process Compliant?

With data privacy becoming increasingly crucial, organisations are now under significant pressure to handle customer data responsibly. One vital but often overlooked aspect of data protection is the handling and response to Subject Access Requests (SARs).

Data Subject Access Requests (DSARs) allow individuals to access personal information held by organisations.

Handling these requests can be intricate, requiring organisations to carefully navigate the landscape to comply with data protection regulations, such as the General Data Protection Regulation (GDPR).

Companies face significant challenges in this area. The Information Commissioner’s Office (ICO) recently reported receiving over 15,000 Subject Access complaints last year.

In response, the ICO has published new guidance for businesses and employers, highlighting widespread misunderstandings and the underestimation of the importance of timely responses.

Why are organisations struggling so much?

The Problem With Fulfilling DSARs

Firstly, completing a DSAR involves multiple tasks, often requiring the expertise or system access of IT teams.

Unfortunately, IT departments are already overwhelmed, and adding DSARs to their workload diverts attention from critical security operations, risking delays.

According to GDPR, organisations have one month to respond to DSARs. Failing to meet this deadline can result in fines of up to 4% of their global revenue.

Beyond compliance issues, the financial burden of managing DSARs is increasing. Surveys by privacy experts indicate that 41% estimate the average cost of a DSAR to be between £3,000 and £6,000.

As costs rise, organisations struggle to keep up, risking fines that further strain their resources, creating a vicious cycle.

Moreover, businesses must strictly adhere to GDPR while processing DSARs, including ensuring the security of the data they handle and protecting sensitive information.

To address these challenges, businesses should ask themselves:

• How can we efficiently handle DSAR tasks without overloading our teams?
• How can we minimise the costs associated with DSARs?
• How can we securely return DSAR data without breaching data protection laws?

Let’s explore the key ICO guidance to answer these questions.

Authenticating Incoming Subject Access Requests

A primary concern in the DSAR process is ensuring the authenticity of the requester. Verifying the identity of individuals making requests is crucial to prevent unauthorised access to sensitive information.

The ICO advises: “To avoid personal data about one individual being sent to another, either accidentally or as a result of deception, you need to be satisfied that: you know the identity of the requester (or the person the request is made on behalf of); and the data you hold relates to the individual in question (e.g., when an individual has similar identifying details to another person)."

Always ask for enough information to ensure that the requester (or the person they are acting for) is indeed the subject of the data.

To achieve this, organisations should implement robust authentication procedures, such as multi-factor authentication or requesting additional forms of identification.

Sending The Requested Data Back To The Subject

Once the requester's identity is verified, the next challenge is securely transmitting the requested information.

Data protection laws mandate maintaining confidentiality and preventing unauthorised disclosures.

To comply with GDPR and similar regulations, secure channels must be used for sharing personal data in response to DSARs.

The ICO suggests: “The security measures you need to take to send information securely as part of a subject access request (SAR) depend on the type of information you’re planning to send and what you think the risk is to the data. As a general rule, if a SAR was made to you by email, then there’s an expectation that you’ll reply by email, too, unless the person says otherwise.”

For SARs made via email, an inherently insecure channel, the most effective method is to use a strong email encryption protocol.

This ensures data is protected both in transit and at rest, preventing interception by malicious entities.

Reducing Costs And Meeting Deadlines

Organisations are currently finding it difficult to complete the DSAR process efficiently and cost-effectively within the one-month deadline, without overburdening their teams.

Businesses need a solution that allows personnel to handle DSARs without relying heavily on IT departments and that can authenticate and respond to requests cost-effectively.

This is where secure email solutions become invaluable.

Our secure email solution, Mailock, offers end-to-end encryption and multi-factor authentication, enabling secure transmission of sensitive information and verification of recipients’ identities before they access data.

Widely used in regulated industries like Financial Services, Mailock is intuitive and user-friendly, ensuring compliance, enhancing efficiency, and speeding up the DSAR response process.

By proactively addressing the challenges of the DSAR process, businesses can uphold data security, protect customer trust, and avoid costly regulatory fines.

References:

It's Important Not to Get Caught Out: New SARs Guidance for Employers Issued, ICO, 2023

Average Cost of a Data Subject Access Request UK, Statista, 2024

What Should We Consider When Responding to a Request?, ICO, 2023

Right of Access, Subject Access Requests, and Other Rights, ICO, 2023

Reviewed By:

Sam Kendall, 14.06.24

Sabrina McClune, 14.06.24